Pages:
Author

Topic: Mixers using cloudflare's SSL certificates - page 2. (Read 736 times)

legendary
Activity: 3584
Merit: 5248
https://merel.mobi => buy facemasks with BTC/LTC
This post was written with a couple encounters with new mixer operators in mind... I won't point fingers, since i had several of these encounters over the last couple of years, so names don't really matter. It serves as a reference post i can point new mixers to when they implement a MITM in their workflow and show no intrest in fixing this.

In my experience dealing with new mixer operators, a discussion between the mixing operator and myself usually falls in this pattern:

  • Mixing owner: Look what a nice mixer i have, look at the nice pictures, look at all the bells and wistles, look at the fancy colors.... I even have moving images to keep you entertained while using my perfect service that is 100% anonymous in every way imaginable!
  • Me: hey OP, your mixer uses cloudflare's SSL certificates as a MITM and google analytics
  • Mixing owner: everybody is doing it, just have a look at our competitors
  • Me: It's not because everybody else is wrong, you have to be too
  • Mixing owner: some other lame excuse
  • Me: That's a lame excuse (but worded politely)
  • Mixing owner: we have a hidden service on tor
  • Me: most users wouldn't even know you're using cloudflare, so they won't switch to the tor mirror (if they even know how to do this)
  • Mixing owner: I'll put it on my todo list (under the section: "things to do when hell freezes over")

These discussions are defenately not limited to mixers, but should extend to any site that handles information you're not willing to share with law enforcement. It's perfectly fine to use cloudflare on your blog, your forum or on your site selling mouth masks.
It's not fine to use cloudflare on banking apps, ammo stores, mixers,...
I realise the irony that my own site is using cloudflare's ssl, but i don't handle any sensitive materials...

The following posts are grossly simplified. I tried to explain what's happening in terms so simple everybody could follow them. This, offcourse, means that if a tech-savvy person looks at the following posts, he'll say: "that's not completely correct, hey dude, you missed an important step". This is by design...

In order to show you what a bad idear implementing an MITM is, i'm going to work my way up from:
Part 1: A non-https site
to
Part 2: A https site using it's own certificate (aka, best case scenario)
to
Part 3: A https site behind cloudflare (where security goes wrong)

Last but not least
Part 4: A fictional example of somebody in a country where crypto is banned, using a cloudflare-ssl-using mixer with google analytics included,  and some general conclusions

You're probably best off if you read the parts in their correct sequence part 1 => part 2 => part 3 => part 4. This is because i sometimes skipped steps i already explained in a previous part.

I'll be splitting this post into 5 different posts, so i have some wiggle room for editing the content later on. If a mod thinks these posts should be joined, he/she is completely free to do so

Disclaimer: don't use mixers for mixing coins you received for providing illegal goods or services. That's not what the crypto ecosphere is all about. As a matter of fact, if you got your coins in an unethical way, i honestly hope you get caught...
Pages:
Jump to: